Detect and report open online storages
Problem to solve
S3 buckets (and equivalent blob storage services) are used more and more every day. They can be either private or public, depending on their configuration. Human error in a bucket's configuration can expose its contents, leading to data leaks. GitLab should report when a publicly accessible bucket is used to store data, and users should have to acknowledge this finding.
This issue is not about detecting blob storage tokens in the code; we have ~"secret detection" for that. This issue is about detecting whether the storage itself is publicly accessible, regardless of whether its access tokens appear in the code. These are two different problems: a bucket can be public without any leaked credential, and a leaked credential does not by itself make a bucket public.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
One of our customers told us "we're always one rule away from having a public bucket instead of a private one". Since a lot of information about these buckets is stored in GitLab already, we could prevent disasters and notify developers about storage that is open to the public.
Proposal
There are probably many places where we can spot online storage configuration:
- configuration files
- tokens in secrets
- secret variables
- TBD
Once detected, GitLab could query these storages without credentials to determine whether files can be listed and/or objects can be downloaded by anyone. That's also why I consider this feature part of ~"devops::secure" and not ~"devops::defend": we're only considering configuration issues, not responding to an external event that would lead to a data leak.
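The two-step check the proposal describes, as an added example that is not GitLab's code or a design this issue commits to: extract bucket references from configuration text, then issue unsigned requests and classify what an anonymous user can do. The bucket names, the config snippet and the S3-style response bodies below are constructed, and the fetcher is injectable, which is also how the single open test bucket from the Testing section could be replaced by fixtures in unit tests.

```python
"""Added example (not GitLab code): find bucket references in config text,
then probe each bucket with unsigned requests to see what an anonymous user
can do. The fetcher is injectable so the same logic runs offline against
constructed responses, the way a QA fixture bucket would be used."""
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumption: AWS S3 naming only; GCS or Azure would need their own patterns.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
_REGION = r"(?:[.-][a-z0-9-]+)?"
BUCKET_PATTERNS = [
    re.compile(r"s3://" + _NAME),                                                # s3://bucket/key
    re.compile(r"https?://" + _NAME + r"\.s3" + _REGION + r"\.amazonaws\.com"),  # virtual-host style
    re.compile(r"https?://s3" + _REGION + r"\.amazonaws\.com/" + _NAME),         # path style
]
Fetcher = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body)

@dataclass
class Finding:
    bucket: str
    exposure: str                    # public-list | private | nonexistent | redirected | unknown
    object_readable: Optional[bool]  # anonymous GET of one listed key returned 200
    sample_key: Optional[str]

def find_bucket_refs(text: str) -> List[str]:
    """Bucket names referenced in config text, in order of first appearance."""
    found: List[str] = []
    for line in text.lower().splitlines():
        for pat in BUCKET_PATTERNS:
            for m in pat.finditer(line):
                if m.group(1) not in found:
                    found.append(m.group(1))
    return found

def anonymous_get(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Unsigned GET: no credentials attached, so the answer is what the public sees.
    HTTP errors come back as (status, body) instead of raising."""
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def classify_list_response(status: int, body: str) -> str:
    """Interpret the response to an unsigned ListBucket request (GET /?max-keys=1)."""
    if status == 200 and "<ListBucketResult" in body:
        return "public-list"   # anyone can enumerate keys
    if status == 403:
        return "private"       # AccessDenied / AllAccessDisabled
    if status == 404:
        return "nonexistent"   # NoSuchBucket: a stale reference worth reporting too
    if status in (301, 307):
        return "redirected"    # bucket is in another region; retry on that endpoint
    return "unknown"

def probe_bucket(bucket: str, fetch: Fetcher = anonymous_get) -> Finding:
    base = f"https://{bucket}.s3.amazonaws.com/"
    status, body = fetch(base + "?max-keys=1")
    exposure = classify_list_response(status, body)
    sample_key, readable = None, None
    if exposure == "public-list":
        # ListBucket and GetObject are separate permissions: a listable bucket
        # may still refuse downloads, so try fetching one listed key.
        m = re.search(r"<Key>([^<]+)</Key>", body)
        if m:
            sample_key = html.unescape(m.group(1))
            readable = fetch(base + urllib.parse.quote(sample_key))[0] == 200
    return Finding(bucket, exposure, readable, sample_key)

def scan_config(text: str, fetch: Fetcher = anonymous_get) -> List[Finding]:
    return [probe_bucket(name, fetch) for name in find_bucket_refs(text)]

# Constructed fixtures: hypothetical bucket names and hand-written S3-style bodies.
SAMPLE_CONFIG = """\
storage:
  assets_url: https://public-assets-example.s3.amazonaws.com/static/
  backup_target: s3://private-backups-example/nightly/
  legacy: https://s3.eu-west-1.amazonaws.com/old-archive-example/dump.tar.gz
"""
_LISTING = ('<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
            '<Name>public-assets-example</Name><Contents><Key>reports/q1.csv</Key>'
            '</Contents></ListBucketResult>')
_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
FAKE_RESPONSES = {
    "https://public-assets-example.s3.amazonaws.com/?max-keys=1": (200, _LISTING),
    "https://public-assets-example.s3.amazonaws.com/reports/q1.csv": (200, "id,amount\n1,42\n"),
    "https://private-backups-example.s3.amazonaws.com/?max-keys=1": (403, _DENIED),
}

def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for anonymous_get; anything unknown looks like NoSuchBucket."""
    return FAKE_RESPONSES.get(url, (404, "<Error><Code>NoSuchBucket</Code></Error>"))
```

`scan_config(SAMPLE_CONFIG, fake_fetch)` reports the first bucket as listable and downloadable, the second as private and the third as nonexistent. With the default `anonymous_get` the same call makes real outbound requests, which matters for the product: the probes would leave GitLab's infrastructure and hit customer buckets, so they need rate limiting, and they must never attach instance or project credentials, because a signed request answers a different question than "is this public".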
Permissions and Security
TBD with UX. I think a good MVP would be to have these findings reported like any other secret detection finding.
Documentation
Update the SAST and Secret Detection docs.
Testing
A single, deliberately open test bucket can serve as the detection target in QA.
What does success look like, and how can we measure that?
- Number of open storages detected
What is the type of buyer?
Moonshot
If users are able to define project properties and context (see Govern), they could also declare whether a project is expected to use public storage. Projects that explicitly declare public access would not raise alerts.